Contents
About this report
Report description
Sample testing on Standard Notes from localhost and standardnotes.com
Report parameters
Contexts
No contexts were selected, so all contexts were included by default.
Sites
The following sites were included:
- http://localhost:3001
- https://app.standardnotes.com
(If no sites were selected, all sites were included by default.)
An included site must also be within one of the included contexts for its data to be included in the report.
Risk levels
Included: High, Medium, Low, Informational
Excluded: None
Confidence levels
Included: User Confirmed, High, Medium, Low
Excluded: User Confirmed, High, Medium, Low, False Positive
Summaries
Alert counts by risk and confidence
Rows are risk levels, columns are confidence levels.
| Risk \ Confidence | User Confirmed | High | Medium | Low | Total |
|---|---|---|---|---|---|
| High | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 1 (7.7%) | 1 (7.7%) |
| Medium | 0 (0.0%) | 3 (23.1%) | 1 (7.7%) | 0 (0.0%) | 4 (30.8%) |
| Low | 0 (0.0%) | 0 (0.0%) | 3 (23.1%) | 1 (7.7%) | 4 (30.8%) |
| Informational | 0 (0.0%) | 0 (0.0%) | 2 (15.4%) | 2 (15.4%) | 4 (30.8%) |
| Total | 0 (0.0%) | 3 (23.1%) | 6 (46.2%) | 4 (30.8%) | 13 (100%) |
Alert counts by site and risk
The number in parentheses is the cumulative count of alerts at or above that risk level.
| Site | High (= High) | Medium (>= Medium) | Low (>= Low) | Informational (>= Informational) |
|---|---|---|---|---|
| http://localhost:3001 | 1 (1) | 1 (2) | 2 (4) | 0 (4) |
| https://app.standardnotes.com | 0 (0) | 3 (3) | 2 (5) | 4 (9) |
Alert counts by alert type
| Alert type | Risk | Count |
|---|---|---|
| Cloud Metadata Potentially Exposed | High | 1 (7.7%) |
| CSP: Wildcard Directive | Medium | 6 (46.2%) |
| CSP: script-src unsafe-eval | Medium | 1 (7.7%) |
| CSP: style-src unsafe-hashes | Medium | 3 (23.1%) |
| Cross-Domain Misconfiguration | Medium | 17 (130.8%) |
| Private IP Disclosure | Low | 1 (7.7%) |
| Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) | Low | 9 (69.2%) |
| Timestamp Disclosure - Unix | Low | 38 (292.3%) |
| X-Content-Type-Options Header Missing | Low | 7 (53.8%) |
| Information Disclosure - Suspicious Comments | Informational | 3 (23.1%) |
| Modern Web Application | Informational | 2 (15.4%) |
| Re-examine Cache-control Directives | Informational | 3 (23.1%) |
| Retrieved from Cache | Informational | 8 (61.5%) |
| Total | | 13 |
Alerts
- Risk=High, Confidence=Low (1)
  - http://localhost:3001 (1)
    - Cloud Metadata Potentially Exposed (1)
GET http://localhost:3001/latest/meta-data/
Alert description: The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.
All of these providers provide metadata via an internal unroutable IP address '169.254.169.254'; this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field.
Other info: Based on the successful response status code, cloud metadata may have been returned in the response. Check the response data to see if any cloud metadata has been returned.
The metadata returned can include information that would allow an attacker to completely compromise the system.
Request (request line and header section, 216 bytes; request body 0 bytes):
```
GET http://localhost:3001/latest/meta-data/ HTTP/1.1
host: aws.zaproxy.org
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
pragma: no-cache
cache-control: no-cache
```
Response (status line and header section, 228 bytes; response body 19 bytes):
```
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 19
ETag: W/"13-OxsTL6IB85fkJxv9HO8uum0slCI"
Date: Thu, 24 Oct 2024 00:04:49 GMT
Connection: keep-alive
Keep-Alive: timeout=5

Invalid Host header
```
Attack: aws.zaproxy.org
Solution: Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable, which is set from the 'Host' header and can be controlled by an attacker.
The 19-byte response body is the text 'Invalid Host header', so the 200 response did not carry instance metadata; this is consistent with the Low confidence assigned to the alert.
- Risk=Medium, Confidence=High (3)
  - http://localhost:3001 (1)
    - CSP: script-src unsafe-eval (1)
GET http://localhost:3001/
Alert description: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page; covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Other info: script-src includes unsafe-eval.
Request (request line and header section, 198 bytes; request body 0 bytes):
```
GET http://localhost:3001/ HTTP/1.1
host: localhost:3001
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
pragma: no-cache
cache-control: no-cache
```
Response (status line and header section, 759 bytes; response body 2575 bytes):
```
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src https: 'self'; base-uri 'self'; child-src * blob:; connect-src * blob:; font-src * data:; form-action 'self'; frame-ancestors * file:; frame-src * blob:; img-src 'self' * data: blob:; manifest-src 'self'; media-src 'self' blob: *.standardnotes.com; object-src 'self' blob: *.standardnotes.com; script-src 'self' 'sha256-r26E+iPOhx7KM7cKn4trOSoD8u5E7wL7wwJ8UrR+rGs=' 'unsafe-eval' 'wasm-unsafe-eval'; style-src *;
Content-Type: text/html; charset=utf-8
Accept-Ranges: bytes
Content-Length: 2575
ETag: W/"a0f-5gVCjcWMu95t09y6MQ6NXZo929g"
Vary: Accept-Encoding
Date: Thu, 24 Oct 2024 00:04:44 GMT
Connection: keep-alive
Keep-Alive: timeout=5

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<meta content="IE=edge" http-equiv="X-UA-Compatible"/>
<meta content="viewport-fit=cover, width=device-width, initial-scale=1" name="viewport"/>
<link rel="canonical" href="https://app.standardnotes.com" />
<link href="favicon/apple-touch-icon.png" rel="apple-touch-icon" sizes="180x180"></link>
<link href="favicon/favicon-32x32.png" rel="icon" sizes="32x32" type="image/png"></link>
<link href="favicon/favicon-16x16.png" rel="icon" sizes="16x16" type="image/png"></link>
<link href="manifest.webmanifest" rel="manifest"></link>
<link color="#5bbad5" href="favicon/safari-pinned-tab.svg" rel="mask-icon"></link>
<meta name="theme-color" content="#ffffff">
<meta content="Standard Notes" name="apple-mobile-web-app-title"/>
<meta content="Standard Notes" name="application-name"/>
<base href="/"></base>
<title>Notes · Standard Notes</title>
<meta name="description" content="Standard Notes is an easy-to-use encrypted note-taking app for digitalists and professionals. Capture your notes, documents, and life's work all in one place."/>
<meta name="twitter:title" content="Standard Notes, an end-to-end encrypted notes app."/>
<meta name="twitter:description" content="Standard Notes is an easy-to-use encrypted note-taking app for digitalists and professionals. Capture your notes, documents, and life's work all in one place."/>
<meta name="twitter:site" content="@standardnotes"/>
<meta name="twitter:card" content="summary"/>
<meta name="og:title" content="Standard Notes, an end-to-end encrypted notes app."/>
<meta name="og:description" content="Standard Notes is an easy-to-use encrypted note-taking app for digitalists and professionals. Capture your notes, documents, and life's work all in one place."/>
<!-- CSP script-src hash: sha256-r26E+iPOhx7KM7cKn4trOSoD8u5E7wL7wwJ8UrR+rGs= -->
<script>
window.defaultSyncServer = "https://api.standardnotes.com";
window.defaultFilesHost = "https://files.standardnotes.com";
window.enabledUnfinishedFeatures = false;
window.websocketUrl = "wss://sockets.standardnotes.com";
window.purchaseUrl = "https://standardnotes.com/purchase";
window.plansUrl = "https://standardnotes.com/plans";
window.dashboardUrl = "https://standardnotes.com/dashboard";
</script>
<script src="./app.js" debug="false"></script>
<link rel="stylesheet" media="all" href="./app.css" debug="false" />
</head>
<body>
</body>
</html>
```
Parameter: Content-Security-Policy
Evidence: default-src https: 'self'; base-uri 'self'; child-src * blob:; connect-src * blob:; font-src * data:; form-action 'self'; frame-ancestors * file:; frame-src * blob:; img-src 'self' * data: blob:; manifest-src 'self'; media-src 'self' blob: *.standardnotes.com; object-src 'self' blob: *.standardnotes.com; script-src 'self' 'sha256-r26E+iPOhx7KM7cKn4trOSoD8u5E7wL7wwJ8UrR+rGs=' 'unsafe-eval' 'wasm-unsafe-eval'; style-src *;
Solution: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
  - https://app.standardnotes.com (2)
    - CSP: Wildcard Directive (1)
GET https://app.standardnotes.com/sitemap.xml
Alert description: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page; covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Other info: The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:
style-src, img-src, frame-src, frame-ancestors, font-src, worker-src
The directive(s) frame-ancestors is among the directives that do not fall back to default-src; omitting it is the same as allowing anything.
Request (request line and header section, 224 bytes; request body 0 bytes):
```
GET https://app.standardnotes.com/sitemap.xml HTTP/1.1
host: app.standardnotes.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
pragma: no-cache
cache-control: no-cache
```
Response (status line and header section, 1364 bytes; response body 1564 bytes):
```
HTTP/1.1 404 Not Found
Date: Thu, 24 Oct 2024 00:02:56 GMT
Content-Type: text/html
Connection: keep-alive
last-modified: Mon, 14 Oct 2024 13:09:55 GMT
x-frame-options: SAMEORIGIN
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src https: 'self'; base-uri 'self'; child-src * blob:; connect-src api.standardnotes.com sync.standardnotes.org files.standardnotes.com ws://sockets.standardnotes.com raw.githubusercontent.com listed.to blob:; font-src * data:; form-action 'self'; frame-ancestors * file:; frame-src * blob:; img-src 'self' * data: blob:; manifest-src 'self'; media-src 'self' blob: *.standardnotes.com; object-src 'self' blob: *.standardnotes.com; script-src 'self' 'sha256-r26E+iPOhx7KM7cKn4trOSoD8u5E7wL7wwJ8UrR+rGs=' 'wasm-unsafe-eval'; style-src * 'unsafe-hashes' 'sha256-jpJOxTrdc58x4woq2mVygDDIvjIAGNkLZ2yfx4ppdXo=' 'sha256-tbWZ4NP1341cpcrZVDn7B3o9bt/muXgduILAnC0Zbaw=';
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Accept-Encoding
x-cache: Error from cloudfront
via: 1.1 486e34c9a7512d6a57a32ef8a8030870.cloudfront.net (CloudFront)
x-amz-cf-pop: ATL59-P3
x-amz-cf-id: S5cHkECqUqsAViZafNaL_ue49ygVvLszO-JAbc7WCZIGLizXutzDQQ==
Age: 34951
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8d75b36aff60139b-ATL
content-length: 1564

<!DOCTYPE html>
<html>
<head>
<title>The page you were looking for doesn't exist (404)</title>
<meta name="viewport" content="width=device-width,initial-scale=1">
<style>
body { background-color: #EFEFEF; color: #2E2F30; text-align: center; font-family: arial, sans-serif; margin: 0; }
div.dialog { width: 95%; max-width: 33em; margin: 4em auto 0; }
div.dialog > div { border: 1px solid #CCC; border-right-color: #999; border-left-color: #999; border-bottom-color: #BBB; border-top: #B00100 solid 4px; border-top-left-radius: 9px; border-top-right-radius: 9px; background-color: white; padding: 7px 12% 0; box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17); }
h1 { font-size: 100%; color: #730E15; line-height: 1.5em; }
div.dialog > p { margin: 0 0 1em; padding: 1em; background-color: #F7F7F7; border: 1px solid #CCC; border-right-color: #999; border-left-color: #999; border-bottom-color: #999; border-bottom-left-radius: 4px; border-bottom-right-radius: 4px; border-top-color: #DADADA; color: #666; box-shadow: 0 3px 8px rgba(50, 50, 50, 0.17); }
</style>
</head>
<body>
<!-- This file lives in public/404.html -->
<div class="dialog">
<div>
<h1>The page you were looking for doesn't exist.</h1>
<p>You may have mistyped the address or the page may have moved.</p>
</div>
<p>If you are the application owner check the logs for more information.</p>
</div>
</body>
</html>
```
Parameter: content-security-policy
Evidence: default-src https: 'self'; base-uri 'self'; child-src * blob:; connect-src api.standardnotes.com sync.standardnotes.org files.standardnotes.com ws://sockets.standardnotes.com raw.githubusercontent.com listed.to blob:; font-src * data:; form-action 'self'; frame-ancestors * file:; frame-src * blob:; img-src 'self' * data: blob:; manifest-src 'self'; media-src 'self' blob: *.standardnotes.com; object-src 'self' blob: *.standardnotes.com; script-src 'self' 'sha256-r26E+iPOhx7KM7cKn4trOSoD8u5E7wL7wwJ8UrR+rGs=' 'wasm-unsafe-eval'; style-src * 'unsafe-hashes' 'sha256-jpJOxTrdc58x4woq2mVygDDIvjIAGNkLZ2yfx4ppdXo=' 'sha256-tbWZ4NP1341cpcrZVDn7B3o9bt/muXgduILAnC0Zbaw=';
Solution: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
    - CSP: style-src unsafe-hashes (1)
GET https://app.standardnotes.com/sitemap.xml
Alert description: Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page; covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Other info: style-src includes unsafe-hashes; an attacker will be able to use any of the code covered by such hashes.
Request (request line and header section, 224 bytes; request body 0 bytes):
```
GET https://app.standardnotes.com/sitemap.xml HTTP/1.1
host: app.standardnotes.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
pragma: no-cache
cache-control: no-cache
```
Response (status line and header section, 1364 bytes; response body 1564 bytes): identical to the 404 response recorded for the CSP: Wildcard Directive alert above (same request, same headers and body).
Parameter: content-security-policy
Evidence: default-src https: 'self'; base-uri 'self'; child-src * blob:; connect-src api.standardnotes.com sync.standardnotes.org files.standardnotes.com ws://sockets.standardnotes.com raw.githubusercontent.com listed.to blob:; font-src * data:; form-action 'self'; frame-ancestors * file:; frame-src * blob:; img-src 'self' * data: blob:; manifest-src 'self'; media-src 'self' blob: *.standardnotes.com; object-src 'self' blob: *.standardnotes.com; script-src 'self' 'sha256-r26E+iPOhx7KM7cKn4trOSoD8u5E7wL7wwJ8UrR+rGs=' 'wasm-unsafe-eval'; style-src * 'unsafe-hashes' 'sha256-jpJOxTrdc58x4woq2mVygDDIvjIAGNkLZ2yfx4ppdXo=' 'sha256-tbWZ4NP1341cpcrZVDn7B3o9bt/muXgduILAnC0Zbaw=';
Solution: Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
- Risk=Medium, Confidence=Medium (1)
  - https://app.standardnotes.com (1)
    - Cross-Domain Misconfiguration (1)
GET https://app.standardnotes.com/favicon/apple-touch-icon.png
Alert description: Web browser data loading may be possible due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.
Other info: The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
Request (request line and header section, 282 bytes; request body 0 bytes):
```
GET https://app.standardnotes.com/favicon/apple-touch-icon.png HTTP/1.1
host: app.standardnotes.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
pragma: no-cache
cache-control: no-cache
referer: https://app.standardnotes.com/
```
Response (status line and header section, 1616 bytes; response body 1200 bytes):
```
HTTP/1.1 200 OK
Date: Thu, 24 Oct 2024 00:02:56 GMT
Content-Type: image/png
Content-Length: 1200
Connection: keep-alive
x-amz-id-2: FxkY/Xer4NherVqdqri2DzU9AoD0ssvAM1aRhobk8FnM3HaJkcNIQDzTDnPzOPL2s445jzi8Kqs=
x-amz-request-id: P3RR729HJ8SZTV0P
last-modified: Sat, 14 Sep 2024 09:57:21 GMT
etag: "4fb4a113e0c95af8365b24d71ee58d37"
vary: Accept-Encoding
vary: Origin
x-frame-options: SAMEORIGIN
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src https: 'self'; base-uri 'self'; child-src * blob:; connect-src api.standardnotes.com sync.standardnotes.org files.standardnotes.com ws://sockets.standardnotes.com raw.githubusercontent.com listed.to blob:; font-src * data:; form-action 'self'; frame-ancestors * file:; frame-src * blob:; img-src 'self' * data: blob:; manifest-src 'self'; media-src 'self' blob: *.standardnotes.com; object-src 'self' blob: *.standardnotes.com; script-src 'self' 'sha256-r26E+iPOhx7KM7cKn4trOSoD8u5E7wL7wwJ8UrR+rGs=' 'wasm-unsafe-eval'; style-src * 'unsafe-hashes' 'sha256-jpJOxTrdc58x4woq2mVygDDIvjIAGNkLZ2yfx4ppdXo=' 'sha256-tbWZ4NP1341cpcrZVDn7B3o9bt/muXgduILAnC0Zbaw=';
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: Hit from cloudfront
via: 1.1 d42a2acf7d37cb697e14666acd5e1866.cloudfront.net (CloudFront)
x-amz-cf-pop: ATL59-P3
x-amz-cf-id: uuHvN6DXdZW_FYnNMeF6H9bkcE95RAf04g1vYp23CP9iqdF_1x6GWA==
Age: 2264
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 8d75b36c9d146777-ATL

(binary PNG image data, 1200 bytes, not shown)
```
ZAP